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DETAILED ACTION 

1 . The amendment filed on 9/04/2007 has been entered and fully considered. 

2. Claims 1-20 are pending. Claims 1, 14, and 15 are the base independent claims. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shanklin et al (US 6, 578, 147), hereinafter referred to as Shanklin, in view of Salapura 
et al (US 6, 904, 040), hereinafter referred to as Salapura and Blair (US 6, 778, 495 B1). 

Shanklin teaches a multi-processor (i.e. parallel processor) intrusion detector 
with load balancing for high-speed networks. 

5. Regarding claims 1, 14, and 15, Shanklin teaches a method , a computer 
program product, and system for routing data packets for network flow analysis by a 
multi-processor system having a plurality of processors (See Figure 2 and 3; Sensors 
21 and 31 in Figures 2 and 3 respectively make up the multi-processor system), 
comprising: receiving a data packet, the data packet comprising data sufficient to 
identify a network connection with which the data packet is associated (See Column 
4:32-40 and Column 6:9-13); and assigning the data to one of the plurality of 
processors for analysis. (See Column 3:30, Column 5:22-29, 55-60 and Column 7:54- 
57) wherein each of the processors is configured to perform concurrentiv two or more 
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network flow analysis related tasks and data packets are assigned to processors in a 
manner that enables use of the respective processors to be maximized even if the split 
of information flows between tasks is uneven : {This limitationis adequately 
addressed by the Primary Reference, i.e. Shanklin, in that Shanldin teaches that 
each processor (IDS Sensor) as shown in Figures 2 and 4 handles two or more 
sessions. For instance in Figure 2, one of the IDS Sensor 21 handles sessions S1 
and S4. The processors are maximized because session based load balancing is 
used in Figures 2 and 4. However the split of information flows between sessions 
is uneven due to the simple fact that such a behavior is dictated by the nature of 
the traffic. For instance, the information flow between a video session and an 
Internet surfing session is definitely uneven. Please also refer to Column 7:20-67 
for further details) 

Shanklin fails to disclose calculating a hash value based on the data sufficient to 
identify the network connection with which the data packet is associated and assigning 
the data based on the hash value to one of the plurality of processors for analysis by 
using a number of bits of the hash value, wherein the number of bits used is determined 
at least in part by the number of processors included in the plurality of processors. 

Salapura teaches a packet-preprocessing interface for multiprocessor network 
handler 

Salapura discloses disclose calculating a hash value based on the data sufficient 
to identify the network connection (Column 4:25-30) with which the data packet is 
associated and assigning the data based on the hash value to one of the plurality of 
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processors for analysis by using a number of bits of the hash value, wherein the number 
of bits used is determined at least in part by the number of processors included in the 
plurality of processors. (See Columns 5:42-45, 6:18-21, 7:2-5) 

It would have been obvious to one having ordinary skill in the art at the time the 
invention was made to modify Shanklin's system to incorporate hash value calculation 
based on data sufficient to identify the network connection and using the hash value to 
identify and assign a processor to a specific session where data belonging to the 
specific session are routed to the same processor. The motivation being hash value 
calculation simplifies address lookup as it is low cost to implement and saves processor 
time as stated in Salapura in Columns 1:40-60 and 2:1-2,50-53 and further distributing 
the workload among the processors on a per session basis allows it to outperform 
conventional network handlers in terms of cost and processing efficiency as stated in 
Salapura in Column 7:5-10. 

Shanklin fails to disclose the number of bits of the hash value used to identify the 
processors/links is not necessarily the total number of bits. 

Blair teaches a method and system for each delay-bound flow, such as for a 
VOIP sen/ice, the sending node hashes the packet header data and applies all packets 
for the flow to one of the links assigned as a function of the hash value and different 
flow headers produce different hash results causing the node to send different flows 
over different links. 
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Blair discloses disclose the number of bits of the hash value used to identify the 
processors/links is not necessarily the total number of bits. (See Column 9:64-67 and 
Column 10:1-18) 

It would have been obvious to one having ordinary skill in the art at the time the 
invention was made to modify Shanklin's system to incorporate a step wherein the 
number of bits of the hash value used to identify the processors/links is not necessarily 
the total number of bits. The motivation to use only a portion of the hash value or result 
is that it allows the user to add links/processors (i.e. entities identified by the hash 
value) to the system without modifying the hashing function as stated by Blair in Column 
10:1-5. 

6. Regarding claim 2, Shanklin discloses a method wherein the data in the data 
packet is sufficient to identify the network connection with which the data packet is 
associated comprises address data. (See Column 3, Lines 25-26) 

7. Regarding claim 3, Shanklin discloses wherein the data sufficient to identify the 
network connection with which the data packet is associated comprises address data 
associated with a source computer that sent the data packet and address data 
associated with a destination computer to which the data packet is addressed. (See 
Column 3, Lines 25-26, Column 4 Lines 12-15 and 25-30) 

8. Regarding claim 4, Shanklin discloses wherein the data packet is sent using the 
TCP/IP suite of protocols and the data sufficient to identify the network connection with 
which the data packet is associated comprises an IP address and port number 
associated with the source computer that sent the data packet and an IP address and 
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port number associated witli the destination computer to which the data packet is 
addressed. (See Column 3, Lines 25-26, Column 4 Lines 12-15 and 25-30. Shanklin 
discloses the packets are sent using the TCP/IP protocol and the rest of the 
limitation is inherent to the protocol) 

9. Regarding claim 5. Shanklin teaches all aspects of the claimed invention as set 
forth in the rejection of claim 1 but fails to disclose a method further comprising storing 
the data packet in host memory associated with the multi-processor system. 

Salapura discloses a method further comprising storing the data packet in host 
memory associated with the multi-processor system. (See Figure 2, elements 14 and 
25 and Column 4:6-20) 

It would have been obvious to one having ordinary skill in the art at the time the 
invention was made to modify Shanklin's system to incorporate a method further 
comprising storing the data packet in host memory associated with the multi-processor 
system. The motivation to use a host memory shared by all processors is to reduce 
cost of using different memory with different controllers for different processors and 
Salapura uses a single DMA controller to interface with the different processors to store 
and retrieve data from the Direct Memory Access that serves as the host memory as 
stated in Salapura 4:35-37. 

10. Regarding claim 6, Shanklin teaches all aspects of the claimed invention as set 
forth in the rejection of claim 5 but fails to disclose a method, further comprising sending 
an interrupt message to a driver, the interrupt message comprising data identifying the 
storage location in host memory in which the data packet is stored. 
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Salapura discloses a method, further comprising sending an interrupt message to 
a driver, the interrupt message comprising data identifying the storage location in host 
memory in which the data packet is stored. (See Columns 1:32 and 6:22-29) 

It would have been obvious to one having ordinary skill in the art at the time the 
invention was made to modify Shanklin's system to incorporate a method of sending an 
interrupt message. The motivation for using an interrupt message is to awaken a 
processor for processing data, the end result being savings in processor time and 
simplification of address lookup as stated in Salapura in Columns 1:32 and 6:22-29. 

1 1 . Regarding claim 7, Shanklin teaches all aspects of the claimed invention as set 
forth in the rejection of claim 1 but fails to disclose a method further comprising storing 
the data packet in host memory associated with the multi-processor system and 
wherein the step of routing comprises sending to the one of the plurality of processors 
data identifying the storage location in host memory in which the data packet is stored. 

Salapura discloses a method further comprising storing the data packet in host 
memory associated with the multi-processor system and wherein the step of routing 
comprises sending to the one of the plurality of processors data identifying the storage 
location in host memory in which the data packet is stored. (See Salapura Columns 
5;1-10, 6:22-29, and Figure 3, step 60 as well as last step in Figure 4) 

12. Regarding claim 8, Shanklin teaches all aspects of the claimed invention as set 
forth in the rejection of claim 7 but fails to disclose a method wherein the step of 
sending to the one of the plurality of processors data identifying the storage location in 
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host system memory in which the data packet is stored comprises storing the data 
identifying the storage location in a work queue associated with the processor. 

Salapura discloses a method wherein the step of sending to the one of the 
plurality of processors data identifying the storage location in host system memory in 
which the data packet is stored comprises storing the data identifying the storage 
location in a work queue associated with the processor. (See Column 6:22-29 and 
Figure 2, element 15) 

13. Regarding claim 9, Shanklin teaches all aspects of the claimed invention as set 
forth in the rejection of claim 8 but fails to disclose a method wherein the work queue is 
a circular queue. 

Salapura discloses a method wherein the work queue is a circular queue. (See 
Column 4:10) 

14. With respect to claims 7-9, it would have been obvious to one having ordinary 
skill in the art at the time the invention was made to modify Shanklin's system to 
incorporate hash value calculation based network connection data and storing the data 
packet in host memory associated with the multi-processor system and the step of 
routing comprises sending to the one of the plurality of processors data identifying the 
storage location in a work queue in a host memory in which the data packet is stored. 
The motivation being these steps simplify address lookup, reduce processor time and 
provides a more efficient packet handling method in that it keeps packets sequences 
belonging to the same session intact by assigning the packets to a specific work queue 
belonging to a specific processor as stated in Salapura in Columns 1:45-61 and 2:50-67 
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15. Regarding claim 10, Shanklin discloses a method further comprising associating 
the data packet with one or more other data packets associated with the same network 
connection with which the received data packet is associated to recreate a network flow 
associated with the network connection. (See Column 3: 43-46) 

16. Regarding claim 11, Shanklin discloses a method further comprising analyzing 
the network flow to determine if any security-related event has occurred. (See Column 
3, Lines 55-65 and Column 5, Lines 30-40) 

17. Regarding claim 12, Shanklin discloses a method, wherein a security-related 
event is determined to have occurred if the network flow matches a pattern associated 
with a known attack. (See Column 5:30-40, Column 6:4-8, and Column 7:60-65) 

19. Regarding claim 13, Shanklin discloses a method wherein a security-related 
event is determined to have occurred if the network flow deviates from normal and 
permissible behavior under the network protocol under which the data packet was sent. 
(See Column 5:30-40, Column 6:4-8, and Column 7:60-65) 

20. Regarding claims 16 and 17, Shanklin discloses a system wherein the data 
sufficient to identify the network connection with which the data packet is associated 
comprises address data associated with a source computer that sent the data packet 
and address data associated with a destination computer to which the data packet is 
addressed. (See Columns 3:23-25, 4:32-40, 6:9-13, and 7:20-27) 

21 . Regarding claim 18, Shanklin discloses a system, wherein the data packet is 
sent using the TCP/IP suite of protocols and the data sufficient to identify the network 
connection with which the data packet is associated comprises an IP address and port 
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number associated with the source computer that sent the data packet and an IP 
address and port number associated with the destination computer to which the data 
packet is addressed. (In Column 4:12-32 Shanklin discloses that his system uses 
the TCP/IP suite of protocols including TCP, UDP, IP and ICMP. Examiner takes 
Official Notice that the TCP and UDP protocols provide port number associated 
with the source and the destination while IP protocol provides the IP address of 
the source as well as the destination. Please refer to Newton's Telecom 
dictionary 16^^ edition on pages 838-839) 

22. Regarding claim 19, Shanklin discloses a system, wherein the driver is further 
configured to associate the data packet with one or more other data packets associated 
with the same network connection with which the received data packet is associated to 
recreate a network flow associated with network connection. (See Column 7:54-59) 

23. Regarding claim 20, Shanklin discloses a system, wherein the driver is further 
configured to analyze the network flow to determine if any security-related event has 
occurred. (See Column 6:47-56) 

Response to Arguments 

24. In the Remarks, on page 6, Applicant argues with respect to amended 
independent claims 1 , 14, and 15 that the cited arts and in particular Salapura fails to 
teach the amended limitation that recites wherein each of the processors is configured 
to perform concurrently two or more network flow analvsis related tasks and data 
packets are assigned to processors in a manner that enables use of the respective 
processors to be maximized even if the split of information flows between tasks is 
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uneven. Applicant suggests that Salapura by teaching that the hash function 
distributes packets "uniformly" on a sequence basis in Column 7:31-35 fails to address 
the added new limitation. 

Examiner respectfully disagrees. The Primary Reference adequately teaches the 
network floW analysis aspects of the independent claims including the newly amended 
limitation as detailed in the rejection of the independent claims. Salapura was strictly 
introduced to teach the mechanism of hash function. Further, Salapura in Column 2: 
45-65 shows that for Fiber Channel a single information is a sequence and a sequence 
is made up of one or more packets. Salapura further indicates all packets from the 
same sequence are assigned to the same thread (i.e. processor) for processing. 
Hence Salapura teaches like the primary reference balancing on a sequence basis but 
the information flow between sequences can be unevenly split as different sequences 
contain different number of packets. Salapura's Column 7:31-35 simply states load 
balancing on a sequence basis makes the processors efficient and adequately reads on 
the newly added limitation of the independent claims. Therefore due to these 
compelling reasons the 103 rejection of all the independent claims is maintained. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Habte Mered whose telephone number is 571 272 6046. 
The examiner can normally be reached on Monday to Friday 9:30AM to 5:00PM. 
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. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Doris H. To can be reached on 571 272 7629. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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